Software Security Testing Flashcards
A measure of the system’s ability to protect data and information from unauthorized access while still providing access to people and systems that are authorized
Security
An action taken against a computer system with the intention of doing harm is called an ____
Attack
CIA approach to security
- Confidentiality
- Integrity
- Availability
What are other security characteristics?
- Authentication
- Nonrepudiation
- Authorization
Data or services are protected from unauthorized access
Confidentiality
Data or services are not subject to unauthorized manipulation
Integrity
The system will be available for legitimate use
Availability
Verifies the identities of the parties to a transaction and checks if they are truly who they claim to be
Authentication
Guarantees that the sender of a message cannot later deny having sent the message, and that the recipient cannot deny having received the message
Nonrepudiation
Grants a user the privileges to perform a task
Authorization
Human or another system which may have been previously certified (either correctly or incorrectly) or may be currently unknown. A human attacker may be from outside the organization or from inside the organization
Source
Unauthorized attempt is made to display data, change or delete data, access system services, change the system’s behavior, or reduce availability
Stimulus
T/F Software design reviews can evaluate security
T
T/F Data flows (and therefore data flow diagrams) can not be used for security analysis
F, they can
T/F Reused and off-the-shelf software components should meet the same security requirements as new software
T
T/F Construction languages and their implementations (for example, compilers) are not serious contributors to security vulnerabilities
F
Special form of random testing aimed at breaking the software often used for security testing
Fuzz testing
T/F Security, in terms of access control and the backup facilities, is a key aspect of library management
T
Builds security in software by following a set of established and/or recommended rules and practices in software development
Secure software development
T/F A generally accepted view concerning software security is that it is much better to design security into software than to patch it in after software is developed
T
T/F Security faults and loopholes can be and often are introduced during maintenance
T
Deals with the clarification and specification of security policy and objectives into software requirements
Software requirements security
Specific functions that are required for the sake of security
Software requirements
Possible ways that the security of software is threatened
Threats/risks